No. 15-3690

IN THE UNITED STATES COURT OF APPEALS FOR THE THIRD CIRCUIT

DANIEL B. STORM, et al., Appellants

v. PAYTIME, INC.,

Appellee

On Appeal from the United States District Court

for the Middle District of Pennsylvania Case No. 14-cv-1138

The Hon. John E. Jones III

BRIEF OF AMICUS CURIAE ELECTRONIC PRIVACY

INFORMATION CENTER (EPIC) IN SUPPORT OF APPELLANTS

Marc Rotenberg Counsel of Record Alan Butler Claire Gartland Aimee Thomson Electronic Privacy Information Center 1718 Connecticut Ave. N.W. Suite 200 Washington, D.C. 20009 (202) 483-1140

April 18, 2016

ii

CORPORATE DISCLOSURE STATEMENT

Pursuant to Federal Rule of Appellate Procedure 26.1 and 29(c), amicus

curiae Electronic Privacy Information Center (“EPIC”) certifies that it is a District

of Columbia corporation with no parent corporation. No publicly held company

owns 10% or more of EPIC stock.

iii

TABLE OF CONTENTS

TABLE OF AUTHORITIES ................................................................................ iv

INTEREST OF THE AMICUS ............................................................................. 1

SUMMARY OF THE ARGUMENT .................................................................... 1

ARGUMENT ........................................................................................................... 2

I.Data breaches expose American consumers to unprecedented threats of

identity theft and fraud. ...................................................................................... 4

A. Americans have suffered an epidemic of data breaches since the Reilly

decision. ............................................................................................................. 4

B. The most severe data breaches involve the disclosure of Social Security

Numbers and financial information, which creates a serious risk of fraud and

identity theft. .................................................................................................... 10

C. Identity theft causes especially pernicious and long-lasting harm to

consumers, far beyond the costs of simple credit card fraud. .......................... 13

D. Companies need to take adequate precautions in order to avoid data

breaches. ........................................................................................................... 20

II.Companies that collect and store sensitive consumer data are in the best

position to prevent data breaches, and should be held liable when they fail

to adopt reasonable data security measures. .................................................. 25

CONCLUSION ..................................................................................................... 31

iv

TABLE OF AUTHORITIES CASES Friends of the Earth, Inc. v. Laidlaw Envtl. Serv. (TOC), Inc., 528 U.S. 693

(2000) .................................................................................................................. 30 FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015) ............. 22, 24, 29 Lujan v. Defs. of Wildlife, 504 U.S. 555 (1992) ........................................................ 3 Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015)...................... 2 Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334 (2014) ..................................... 3 OTHER AUTHORITIES Aaron Sankin, How to Change Your Social Security Number If You Get

Hacked, Daily Dot (June 17, 2015) ..................................................................... 19 Aarti Shahani, Theft of Social Security Numbers Is Broader Than You Might

Think, NPR (June 15, 2015) ................................................................................ 16 Anthem, How to Access & Sign Up For Identity Theft Repair & Credit

Monitoring Services (Aug. 25, 2015) .................................................................... 8 Anthony Giorgianni, Should You Freeze Your Credit File?, Consumer

Reports (Feb. 22, 2014) ....................................................................................... 20 Brian Krebs, In Wake of Confirmed Breach at Home Depot, Banks See Spike

in PIN Debit Card Fraud, Krebs on Security (Sept. 8, 2014) ............................. 14 Brian Krebs, Inside Target Corp., Days After 2013 Breach, Krebs on Security

(Sept. 21, 2015) ................................................................................................... 21 Brian Krebs, Online Cheating Site AshleyMadison Hacked, Krebs on Security

(July 19, 2015) ....................................................................................................... 7 Brian Krebs, OPM (Mis)Spends $133M on Credit Monitoring, Krebs on

Security (Sept. 15, 2015) ..................................................................................... 19 Brief for EPIC and Thirty-Three Technical Experts and Legal Scholars as

Amicus Curiae Supporting Respondents, FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015) (No. 14-3514) ............................................. 24

Brief for EPIC as Amicus Curiae Supporting Appellants, Gordon v. Softech Intern., Inc., 726 F.3d 42 (2d Cir. 2013) (No. 12-661) ....................................... 26

Caroline Humer & Jim Finkle, Your Medical Record Is Worth More to Hackers Than Your Credit Card, Reuters (Sept. 24, 2014) ................................ 17

Cybsersecurity and Data Protection in the Financial Sector: Hearing Before the Subcomm. on Fin. Inst. & Consumer Credit of the H. Comm. on Fin. Servs., 112th Cong. (Sept. 14, 2011) (testimony of Marc Rotenberg, Executive Director, EPIC) ................................................................................... 22

Danielle Keats Citron, Reservoirs of Danger: the Evolution of Public and Private Law at the Dawn of the Information Age, 80 Southern Cal. L. Rev. 241 (2007) ............................................................................................... 26, 27, 28

v

Def. Sci. Bd. Task Force on Comput. Sec., Security Controls for Computer Systems (1970) ..................................................................................................... 22

Dell SecureWorks, Underground Hacker Markets (2016) ..................................... 13 eBay, eBay Inc. to Ask eBay Users to Change Passwords (May 21, 2014) ............. 9 EPIC, Social Security Numbers (2016) ................................................................... 14 Erika Harrell, Ph.D., Bureau of Justice Statistics, NCJ 248991, Victims of

Identity Theft, 2014 (Sept. 2015) ................................................................. 5, 6, 15 Ernie Hayden, Data Breach Protection Requires New Barriers,

SearchSecurity (May 2013) ................................................................................. 23 Excellus, Notice Of Cyberattack Affecting Excellus Bluecross Blueshield

(2015) .................................................................................................................... 6 FTC, Consumer Sentinel Network Data Book (Feb. 2016) ...................................... 6 FTC, Guide for Assisting Identity Theft Victims (Sept. 2013) .................... 18, 19, 20 Guido Calabresi, The Costs Of Accidents: A Legal And Economic Analysis

(1970) ............................................................................................................ 25, 26 Harold Demsetz, When Does the Rule of Liability Matter?, 1 J. Legal. Stud.

13 (1972) ............................................................................................................. 26 Home Depot, The Home Depot Reports Findings in Payment Data Breach

Investigation (Nov. 6, 2014) .................................................................................. 9 IBM, Winning the Battle of the Breach (2015) ................................................. 22, 24 Identity Theft Res. Ctr., 2015 Data Breaches .......................................................... 5 Identity Theft Res. Ctr., 2016 Data Breach Stats (Apr. 12, 2016) ....................... 4, 5 Identity Theft Res. Ctr., Data Breach Reports (Dec. 31, 2014) ........................... 5, 9 Identity Theft Res. Ctr., Data Breach Reports (Dec. 31, 2015) ................... 5, 6, 7, 8 Identity Theft Res. Ctr., Identity Theft: The Aftermath (2014) ............................... 13 Identity Theft Res. Ctr., ITRC Breach Statistics 2005 – 2015 (2016) ...................... 4 Identity Theft Res. Ctr., The Limits of ID-Theft Protection and Credit

Monitoring (Aug. 10, 2015) ................................................................................ 19 Jessica Silver-Greenberg, Matthew Goldstein, & Nicole Perlroth, JPMorgan

Chase Hacking Affects 76 Million Households, N.Y. Times (Oct. 2, 2014) ......... 9 Kim Zetter, Four Indicted in Massive JP Morgan Chase Hack, Wired (Nov.

10, 2015) ................................................................................................................ 9 Kroll, Data Breach Prevention Tips (2015) ............................................... 22, 23, 24 Laura Shin, Why Medical Identity Theft Is Rising and How to Protect

Yourself, Forbes (May 29, 2015) ......................................................................... 18 Lillian Ablon, Martin C. Libicki, & Andrea A. Golayix, RAND Corp.,

Markets for Cybercrime Tools and Stolen Data (2014) ...................................... 12 Maggie McGrath, Target Data Breach Spilled Info On As Many As 70 Million

Customers, Forbes (Jan. 10, 2014) ...................................................................... 10

vi

Memorandum for the Heads of Executive Departments and Agencies from Clay Johnson III, Deputy Director of Management, Office of Mgmt. & Budget, M-07-16 (May 22, 2007) ................................................................. 11, 12

Michael Riley et al., Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It, Bloomberg (Mar. 17, 2014) ........................ 10, 21

Nancy Mann Jackson, Identity Theft Insurance: How Does It Work and Will It Save Your Good Name?, Bankrate (June 15, 2015) ............................................ 28

Office of Pers. Mgmt., Cybersecurity Resource Center ....................................... 7, 8 Office of Pers. Mgmt., Office of the Inspector Gen., 4A-CI-00-15-011, Final

Audit Report: Federal Information Security Modernization Act Audit FY 2015 (Nov. 10, 2015) .......................................................................................... 21

Ponemon Inst., Fifth Annual Study on Medical Identity Theft (Feb. 2015) ............ 17 Premera BlueCross, About the Cyberattack (2016) .................................................. 8 Privacy Rights Clearinghouse, Chronology of Data Breaches (2016) ................... 11 Priya Anand, Is Identity-Theft Insurance a Waste of Money? MarketWatch

(Mar. 31, 2014) .................................................................................................... 28 Richard A. Posner, Economic Analysis of Law (3d ed. 1986) ................................ 29 Richard Coase, The Problem of Social Cost, 3 J. Law & Econ. 1 (1960) .............. 25 Robin Sidel, Home Depot’s 56 Million Card Breach Bigger Than Target’s,

Wall. St. J. (Sept. 18, 2014) ................................................................................... 9 Ross Miller & Frank Bi, Here’s Every Type of Data Exposed in the Ashley

Madison Hack, Verge (Aug. 19, 2015) ................................................................. 7 Soc. Sec. Admin., Can I Change My Social Security Number? (Mar 11, 2016) .... 15 Soc. Sec. Admin., Identity Theft and Your Social Security Number (Feb.

2016) .................................................................................................................... 16 Submitted Breach Notification Sample, The Whiting-Turner Contracting

Company (Mar. 8, 2016) ..................................................................................... 11 Symantec, 6 Steps to Prevent a Data Breach (Nov. 2009) ..................................... 22 T-Mobile, Frequently Asked Questions About the Experian Incident (Oct. 8,

2015) ...................................................................................................................... 6 U.S. Gov’t Accountability Office, GAO-14-34, Agency Responses to

Breaches of Personally Identifiable Information Need to Be More Consistent (2013) ................................................................................................ 14

U.S. Gov’t Accountability Office, GAO-16-589T, IRS Needs to Further Improve Controls Over Taxpayer Data and Continue to Combat Identity Theft Refund Fraud (2016) .................................................................................. 18

Understanding Consumer Attitudes About Privacy: Hearing Before the Subcomm. on Commerce, Manufacturing, and Trade of the House Comm. on Energy and Commerce (Oct. 13, 2011) .......................................................... 27

vii

Verge Staff, The Ashley Madison Hack: Everything You Need To Know, Verge (Aug. 31, 2015) ........................................................................................... 7

Verizon, 2013 Data Breach Investigations Report (2013) ............................... 13, 21 White House, Consumer Data Privacy in a Networked World: A Framework

for Protecting Privacy and Promoting Innovation in the Global Economy (Feb. 23, 2012) .................................................................................................... 23

White House, Fact Sheet: Safeguarding American Consumers & Families (Jan. 12, 2015) ..................................................................................................... 29

Worldwide Threat Assessment of the US Intelligence Community: Hearing Before the Senate Armed Services Committee, 114th Cong. (2016) ..................... 5

1

INTEREST OF THE AMICUS

The Electronic Privacy Information Center (“EPIC”) is a public interest

research center in Washington, D.C., established in 1994 to focus public attention

on emerging civil liberties issues and to protect privacy, the First Amendment, and

other Constitutional values.1 EPIC routinely participates as amicus curiae before

federal and state courts in cases concerning consumer privacy rights. See Mot. for

Leave to File Amicus Br.

SUMMARY OF THE ARGUMENT

America faces an epidemic of data breaches that has exposed millions of

consumers to identity theft and financial fraud. Criminals trade in stolen Social

Security Numbers (“SSNs”), credit card numbers, and personal information. In the

face of this national threat, the Court should not deny individuals the right to seek

remedies for the failure of companies to protect their sensitive personal

information. Raising standing barriers to legitimate claims will only allow the

continued escalation of identity theft in the United States.

When the Court addressed this issue five years ago in Reilly v. Ceridian

Corp., 664 F.3d 38 (3d Cir. 2011), the problem of identity theft was not well

understood and the information on data breach not readily available. Since that

time, the problems of identity theft and data breach have become a central concern

of lawmakers and courts across the country. Courts have now recognized that

1 In accordance with Rule 29, the undersigned states that no monetary contributions were made for the preparation or submission of this brief. This brief was not authored, in whole or in part, by counsel for a party.

2

individuals whose personal information was stolen need not prove damages before

they get through the courthouse door. See Remijas v. Neiman Marcus Grp., LLC,

794 F.3d 688, 693–94 (7th Cir. 2015).

Given the understanding today of the scope of the problem, this Court

should hold that a data breach is an “injury-in-fact” that gives rise to Article III

standing. For the purposes of establishing standing, courts should not require that

the downstream consequences—untangling a stolen identity, recovering

unauthorized payments, or repairing damaged credit—have already occurred

before a plaintiff can bring suit. The plaintiff may need to establish harm to recover

damages, but that issue is separate from consideration of standing and Article III

jurisdiction.

If the Court does not permit individuals whose personal information has

been mishandled and obtained by criminals to pursue redress, the problems of data

breach and identity theft will only get worse. Many data breaches are avoidable;

companies that collect and store sensitive information are in the best position to

take the reasonable measures necessary to protect the data. Shielding these

companies, who have chosen to collect and use personal information, from liability

will remove the incentives to adopt necessary data security measures.

ARGUMENT

The lower court in this case has misconstrued the Supreme Court’s standing

doctrine in order to deny plaintiffs the opportunity to seek remedies for a data

breach even where they allege that (1) their data was improperly accessed and (2)

their legally protected interest was invaded. The law demands no further proof at

3

the pleading stage from a plaintiff who has established an actual, concrete invasion

of their interests. Speculation as to the future consequences need not be considered

at this stage, nor is it appropriate for the court to consider how “burdensome”

potential liability might be to future defendants. Mem. Op. 19.

The doctrine of standing “gives meaning to [the] constitutional limits”

imposed by the Article III, which “limits the jurisdiction of federal courts to

‘Cases’ and ‘Controversies.’” Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334,

2341 (2014). This doctrine is “built on separation-of-powers principles” and

requires that a plaintiff show an “injury in fact” to ensure that she “has a ‘personal

stake in the outcome of the controversy.’” Id. An injury-in-fact is “an invasion of a

legally protected interest which is (a) concrete and particularized and (b) actual or

imminent, not conjectural or hypothetical.” Lujan v. Defs. of Wildlife, 504 U.S.

555, 560 (1992). Where a plaintiff sues to prevent a future injury, an allegation

“may suffice if the threatened injury is ‘certainly impending,’ or there is a

‘substantial risk’ that the harm will occur.” Susan B. Anthony, 134 S. Ct. at 2341.

In data breach cases, the legal injury is the very fact—undisputed in this and

other data breach cases—that third parties stole plaintiffs’ sensitive personal

information, a violation of their legally protected interest.2 Whether defendants are

liable for the downstream consequences caused by that breach, and how those

consequences should be quantified, are simply irrelevant to the standing analysis.

2 For example, Plaintiffs in Storm allege negligence, breach of contract, and violation of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law.

4

The risk consumers face today is simply too great for courts to create

unnecessary barriers to hold companies accountable for lax security practices. This

Court could not have known when it issued its decision in Reilly that data breaches

and identity theft would be one of the leading sources of harm to American

consumers within five years. But the problem can no longer be ignored, and

companies that collect personal information must be accountable if they fail to

adopt reasonable data protection measures.

I. Data breaches expose American consumers to unprecedented threats of identity theft and fraud.

A. Americans have suffered an epidemic of data breaches since the Reilly decision.

Since this Court decided Reilly in 2011, there have been nearly 2,900

publically reported data breaches3 in the United States. Identity Theft Res. Ctr.,

2016 Data Breach Stats 9 (Apr. 12, 2016)4 (detailing 247 breaches in 2016 as of

April 12); Identity Theft Res. Ctr., ITRC Breach Statistics 2005 – 2015, at 1

(2016)5 (detailing 471 breaches in 2012, 614 in 2013, 783 in 2014, and 781 in

2015). In 2015 alone there were 781 breaches, of which 38% were caused by

hacking, 15% by employee error or negligence, 14% by accidental email or

3 A data breach is “as an incident in which an individual name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure.” Identity Theft Resource Center, Data Breaches, http://www.idtheftcenter.org/id-theft/data-breaches.html (last visited Apr. 12, 2016). 4 http://www.idtheftcenter.org/images/breach/ITRCBreachStatsReport2016.pdf. 5 http://www.idtheftcenter.org/images/breach/2005to2015multiyear.pdf (last visited Apr. 12, 2016).

5

internet exposure, 11% by insider theft, and 11% by physical theft. Identity Theft

Res. Ctr., 2015 Data Breaches.6 Data breaches since 2014 have exposed at least

266 million records containing personally identifiable information. 2016 Data

Breach Stats, supra (at least 11,270,651 records exposed in 2016 as of April 12);

Identity Theft Res. Ctr., Data Breach Reports 4 (Dec. 31, 2015)7 [hereinafter ITRC

2015 Report] (at least 169,068,506 records exposed in 2015); Identity Theft Res.

Ctr., Data Breach Reports 4 (Dec. 31, 2014)8 [hereinafter ITRC 2014 Report] (at

least 85,611,528 records exposed in 2014).

Data breaches are so dangerous that the U.S. Director of National

Intelligence has repeatedly ranked cybercrime as a top global threat. E.g.,

Worldwide Threat Assessment of the US Intelligence Community: Hearing Before

the Senate Armed Services Committee, 114th Cong. 1 (2016) (statement of James

R. Clapper, Director of National Intelligence).9 According to the most recent report

by the Department of Justice, more than seventeen million Americans were the

victims of identity theft in 2014. See Erika Harrell, Ph.D., Bureau of Justice

Statistics, Victims of Identity Theft, 2014, at 1 (Sept. 2015) [hereinafter Victims of

Identity Theft 2014].10 That year, identity theft cost American consumers more than

6 http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html (last visited Apr. 12, 2016). An additional nine percent were caused by a subcontrator or third party, and 7.3 percent by data on the move. Id. 7 http://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf. 8 http://www.idtheftcenter.org/images/breach/DataBreachReports_2014.pdf. 9 http://www.dni.gov/files/documents/SASC_Unclassified_2016_ATA_SFR_FINAL.pdf. 10 http://www.bjs.gov/content/pub/pdf/vit14.pdf.

6

fifteen billion dollars. Id. at 7 (outpacing fourteen billion in losses from burglary,

automobile theft, and theft). In 2015, the Federal Trade Commission (“FTC”)

received nearly half a million identity theft complaints from American consumers,

a 47% increase from 2014. See FTC, Consumer Sentinel Network Data Book 5

(Feb. 2016).11

Some of the most serious data breaches of the past five years include:

• T-Mobile/Experian (2015). In October 2015, T-Mobile announced a breach

of data housed on an Experian server. T-Mobile, Frequently Asked

Questions About the Experian Incident (Oct. 8, 2015);12 see ITRC 2015

Report, supra, at 45. The hackers stole names, addresses, SSNs, birthdates,

identification numbers (e.g., driver’s license, military ID, or passport

number), and other information for 15 million customers. T-Mobile, supra;

ITRC 2015 Report, supra, at 45.

• Excellus BlueCross BlueShield / Lifetime Healthcare (2015). In September

2015, a health insurer announced that an attack had exposed names,

birthdates, SSNs, mailing addresses, telephone numbers, member ID

numbers, financial account information, and claim information. Excellus,

Notice Of Cyberattack Affecting Excellus Bluecross Blueshield (2015);13

ITRC 2015 Report, supra, at 52–53.

11 https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-january-december-2015/160229csn-2015databook.pdf. 12 https://www.t-mobile.com/landing/experian-data-breach-faq.html. 13 http://www.excellusfacts.com/.

7

• Ashley Madison (2015). In July 2015, hackers stole billing records and

account information from an adult social network catering to unfaithful

spouses. Brian Krebs, Online Cheating Site AshleyMadison Hacked, Krebs

on Security (July 19, 2015);14 see Verge Staff, The Ashley Madison Hack:

Everything You Need To Know, Verge (Aug. 31, 2015).15 The hackers later

made these private details publicly available, exposing the names,

relationship status, address, phone numbers, birthdates, and personal

attributes of some 36 million users, along with 9.6 million billing records

from the users who paid to keep their accounts private. Ross Miller & Frank

Bi, Here’s Every Type of Data Exposed in the Ashley Madison Hack, Verge

(Aug. 19, 2015).16

• Office of Personnel Management (2015). In June 2015, the U.S. Office of

Personnel Management (“OPM”) announced that it had suffered two attacks.

Office of Pers. Mgmt., Cybersecurity Resource Center;17 see ITRC 2015

Report, supra, at 91, 98–99. One attack resulted in the theft of background

investigation reports for current, former, and prospective federal government

employees, including the SSNs of 21.5 million individuals and 5.6 million

fingerprints. OPM, supra; ITRC 2015 Report, supra, at 91. Earlier that year,

14 http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/. 15 http://www.theverge.com/2015/8/19/9178965/ashley-madison-hacked-news-data-names-list. 16 http://www.theverge.com/2015/8/19/9179037/ashley-madison-data-hack-name-address-phone-birthday/in/8943006. 17 https://www.opm.gov/cybersecurity/cybersecurity-incidents/ (last visited Apr. 12, 2016).

8

attackers stole the personnel data of 4.2 million current and former federal

government employees, including full names, birth dates, home addresses,

and SSNs. OPM, supra; ITRC 2015 Report, supra, at 98–99.

• Premera BlueCross (2015). In March 2015, health insurance provider

Premera announced that hackers gained accessed to names, birthdates,

addresses, telephone numbers, SSNs, member ID numbers, bank account

information, and claim information of 11 million customers. Premera

BlueCross, About the Cyberattack (2016);18 ITRC 2015 Report, supra, at

136–37. The hackers also gained access to private health information.

Premera, supra.

• Anthem (2015). In February 2015, health insurance giant Anthem

announced that a breach exposed the names, birthdates, SSNs, health care ID

numbers, home addresses, email addresses, and employment information for

78.8 million people. ITRC 2015 Report, supra, at 152; Anthem, How to

Access & Sign Up For Identity Theft Repair & Credit Monitoring Services

(Aug. 25, 2015).19

• JPMorgan Chase (2014). In October 2014, JPMorgan Chase disclosed that

a breach had “compromised the accounts of 76 million households and seven

million small businesses,” gaining names, addresses, phone numbers, and

emails. Jessica Silver-Greenberg, Matthew Goldstein, & Nicole Perlroth,

18 https://www.premera.com/wa/visitor/about-the-cyberattack/. 19 https://www.anthemfacts.com/.

9

JPMorgan Chase Hacking Affects 76 Million Households, N.Y. Times (Oct.

2, 2014).20 Federal authorities ultimately indicted four men for the hack,

along with attacks on other financial institutions that disclosed the personal

information of more than 100 million individuals. Kim Zetter, Four Indicted

in Massive JP Morgan Chase Hack, Wired (Nov. 10, 2015).21

• Home Depot (2014). In September 2014, Home Depot announced that a

five-month attack on its payment terminals compromised 56 million credit

and debit cards and 53 million email addresses. ITRC 2014 Report, supra, at

57; Home Depot, The Home Depot Reports Findings in Payment Data

Breach Investigation 1 (Nov. 6, 2014);22 Robin Sidel, Home Depot’s 56

Million Card Breach Bigger Than Target’s, Wall. St. J. (Sept. 18, 2014).23

• eBay (2014). In May 2014, eBay announced that a breach had compromised

a database containing names, encrypted passwords, email addresses,

physical addresses, phone numbers, and birthdates for its 145 million users.

ITRC 2014 Report, supra, at 103; eBay, eBay Inc. to Ask eBay Users to

Change Passwords (May 21, 2014).24

20 http://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/. 21 http://www.wired.com/2015/11/four-indicted-in-massive-jp-morgan-chase-hack/. 22 https://corporate.homedepot.com/MediaCenter/Documents/Press%20Release.pdf. 23 http://www.wsj.com/articles/home-depot-breach-bigger-than-targets-1411073571. 24 https://investors.ebayinc.com/releasedetail.cfm?releaseid=849396.

10

• Target (2013). In November 2013, cybercriminals installed malware on

Target’s security and payment systems “designed to steal every credit card

used at the company’s 1,797 U.S. stores.” Michael Riley et al., Missed

Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,

Bloomberg (Mar. 17, 2014).25 The hackers stole 40 million credit and debit

card numbers, and personal information (names, addresses, phone numbers,

and email addresses) of 70 million customers. Maggie McGrath, Target

Data Breach Spilled Info On As Many As 70 Million Customers, Forbes

(Jan. 10, 2014).26

B. The most severe data breaches involve the disclosure of Social Security Numbers and financial information, which creates a serious risk of fraud and identity theft.

Not all data breaches are created equal. Some breaches are the result of

highly sophisticated attacks carried out by anonymous hackers, while others

involve physical theft of computers or storage devices containing sensitive records.

In some cases the data breached includes highly sensitive information—like SSNs

and financial accounts—but other cases involve more generic data that might only

be revealing in a specific context. The severity of a data breach will depend on

these and other factors. See Memorandum for the Heads of Executive Departments

25 http://www.bloomberg.com/news/articles/2014-03-13/target-missed-warnings-in-epic-hack-of-credit-card-data. 26 http://www.forbes.com/sites/maggiemcgrath/2014/01/10/target-data-breach-spilled-info-on-as-many-as-70-million-customers/#40c74dec6bd1.

11

and Agencies from Clay Johnson III, Deputy Director of Management, Office of

Mgmt. & Budget, M-07-16, at 14–15 (May 22, 2007) [hereinafter OMB Memo].27

Data breaches typically fall into one of three categories: (1) physical theft or

misappropriation of devices that contain sensitive data; (2) unauthorized access by

an employee or contractor; and (3) intrusion by a remote, and likely unknown,

hacker. In each of those categories, the degree of intentionality and level of

exposure of the data can vary significantly. A review of recent data breaches

cataloged by the Privacy Rights Clearinghouse provides several useful examples of

these different types. See Privacy Rights Clearinghouse, Chronology of Data

Breaches (2016).28

One of the most severe types of breaches occurs when a hacker remotely

downloads sensitive files, as opposed to other more limited or temporary exposure

of sensitive information. When malicious hackers gain remote access to SSNs, it

poses a grave threat to the victims whose data is compromised. For example, a

Maryland contractor recently notified its employees of a breach of their payroll

data. See Submitted Breach Notification Sample, The Whiting-Turner Contracting

Company (Mar. 8, 2016).29 This breach resulted in the exposure of the name, date

of birth, and SSNs of employees and their children. Id. The company also received

reports that fraudulent taxes were filed in employees’ names. Id. As in most cases

27 https://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2007/m07-16.pdf. 28 https://www.privacyrights.org/data-breach. 29 http://oag.ca.gov/system/files/Whiting%20Turner%20Contracting%20NOTICE%20only%20CA%20Regulator%20Notice%20Exhibits_0_1.pdf.

12

where malicious hackers are able to gain access to sensitive personal information,

the employees are now at serious risk of identity theft and fraud.

The Office of Management and Budget (“OMB”) has identified five factors

that should be considered when assessing the severity of a data breach: (1) the

nature of the data breached; (2) the number of individuals affected; (3) the

likelihood that the information is “accessible and usable”; (4) the likelihood that

the breach may lead to harm (both how broad the scope of the harm and how likely

it is to occur); and (5) the ability to mitigate the risk of harm. See OMB Memo,

supra, at 14–15.

There is little doubt that when a hacker infiltrates a system containing SSNs

and other sensitive personal information, their intent is to access and misuse that

data. The black markets where financial and identity information are sold to the

highest bidder are “growing in size and complexity,” and are now dominated by

“financially driven, highly organized, and sophisticated groups,” as a

comprehensive study by The RAND Corporation recently uncovered. Lillian

Ablon, Martin C. Libicki, & Andrea A. Golayix, RAND Corp., Markets for

Cybercrime Tools and Stolen Data, at ix (2014).30 These black markets “can be

more profitable than the illegal drug trade” and are increasingly resilient even to

repeated takedowns by law enforcement. Id. at 11, 17. While credit cards, bank

accounts, and other payment credentials are the most common type of data stolen

30 https://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf.

13

by financially motivated hackers, personal data is also primarily stolen for

financial gain. See Verizon, 2013 Data Breach Investigations Report 46 (2013).31

A hacker who steals such data can profit in a way that is undetectable to the

victim. The dossiers of personal data that can be used to commit fraud—including

name, address, and SSN in combination with financial data—are referred to as

“Fullz” and can be sold in bulk for as much as $15 per victim. Dell SecureWorks,

Underground Hacker Markets 14 (2016).32 Once the data breach occurs, the

damage is already done and there is nothing the victim can do to reclaim their

personal information.

C. Identity theft causes especially pernicious and long-lasting harm to consumers, far beyond the costs of simple credit card fraud.

Identity theft is not limited to fraudulent credit card charges. When a

criminal gains access to an individual’s SSN, they can obtain tax refunds and

government benefits, receive medical goods and services, apply for employment,

and even commit crimes in the victim’s name. See Identity Theft Res. Ctr., Identity

Theft: The Aftermath 13 (2014).33 To make matters worse, a stolen SSN, unlike a

stolen credit card, cannot be effectively cancelled or replaced.

The U.S. Government Accountability Office has recognized that “the loss of

PII contributes to identity theft,” but that “it might take a long time” for the harms

31 http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf. 32 https://www.secureworks.com/resources/rp-2016-underground-hacker-marketplace-report. 33 http://www.idtheftcenter.org/images/surveys_studies/Aftermath2014FINAL.pdf.

14

to manifest or be uncovered by the victim. U.S. Gov’t Accountability Office,

GAO-14-34, Agency Responses to Breaches of Personally Identifiable Information

Need to Be More Consistent 11 (2013).34 Past victims have “lost job opportunities,

been refused loans, or even been arrested for crimes they did not commit as a result

of identity theft.” Id. Yet these harms do not appear on the victim’s bank statement

or credit report, and they are nearly impossible to control because of the role the

SSN plays as a government and private-sector identifier.

1. SSNs are key to identity theft, but are virtually impossible to replace

The plaintiffs in this case face acute risk because their SSNs and other

identifying information were breached. SSNs are the key to our financial,

government, and private sector records systems. No other form of identification

plays a more significant role in record-linkage, or poses a greater risk to personal

privacy. See EPIC, Social Security Numbers (2016).35 The SSN is used as both an

identifier and an authenticator. Id. Put another way, the SSN is both the username

and password for an individual’s identity. Id.

Criminals in possession of SSNs can open new financial accounts and

perpetrate identity theft because many financial institutions rely on SSNs to verify

transactions. See Brian Krebs, In Wake of Confirmed Breach at Home Depot,

Banks See Spike in PIN Debit Card Fraud, Krebs on Security (Sept. 8, 2014).36

34 http://www.gao.gov/assets/660/659572.pdf. 35 https://www.epic.org/privacy/ssn/. 36 http://krebsonsecurity.com/2014/09/in-wake-of-confirmed-breach-at-home-depot-banks-see-spike-in-pin-debit-card-fraud/.

15

The FTC has recognized that SSNs are the “keys to the kingdom” for identity

thieves and that the resulting harm to consumers and businesses is a “major

problem in this country, with victims numbering in the millions each year” and

losses “in the billions.” FTC, Security in Numbers: SSNs and ID Theft 2 (Dec.

2008).37

The Bureau of Justice Statistics found that “[v]ictims experiencing the

opening of a new account or the misuse of personal information had greater [out-

of-pocket] loss than those experiencing misuse of an existing credit card or bank

account.” See Victims of Identity Theft 2014, supra, at 7. These identity theft

victims are also more likely to have unresolved problems more than a year later.

Id. at 13.

A breach of an individual’s SSN causes permanent and irreparable damage

to the security of that person’s identity, but it is extremely difficult to obtain a

replacement number. While the Social Security Administration (“SSA”) can issue

replacement SSNs, it does so only in limited circumstances, such as “harassment,

abuse, or life endangerment.” Soc. Sec. Admin., Can I Change My Social Security

Number? (Mar 11, 2016).38 Identity theft victims must reach this desperate state

before the agency might consider issuing a replacement. The SSA assigns new

numbers only if “you’ve done all you can to fix the problems resulting from

37 https://www.ftc.gov/sites/default/files/documents/reports/security-numbers-social-security-numbers-and-identity-theft-federal-trade-commission-report/p075414ssnreport.pdf. 38 https://faq.ssa.gov/link/portal/34011/34019/Article/3789/Can-I-change-my-Social-Security-number.

16

misuse of your SSN, and someone is still using your number.” Soc. Sec. Admin.,

Identity Theft and Your Social Security Number 6 (Feb. 2016) [hereinafter ID Theft

and Your SSN].39 In 2014, the SSA replaced only 250 SSNs due to identity theft

misuse. Aarti Shahani, Theft of Social Security Numbers Is Broader Than You

Might Think, NPR (June 15, 2015).40

Even if an identity theft victim has suffered such grievous harm to merit a

replacement SSN, problems will continue. The SSA has acknowledged the

inadequacy of replacement SSNs, stating that a “new number probably won’t

solve” your problems because “other governmental agencies” and businesses have

records tied to the old number, and “credit reporting agencies will [still] use the

number to identify your credit record.” ID Theft and Your SSN, supra, at 7.

2. Identity theft involves much more than fraudulent charges

Many of the problems caused by identity theft are much more difficult to

prevent and resolve than fraudulent credit card or bank charges. Criminals can use

stolen personal information to commit medical, tax, and other government benefit

fraud, to seek employment, and during the commission of other crimes. The

consequences for the victims can be dire.

a. Medical Identity Theft

Medical identity theft occurs when a victim’s name is used to fraudulently

obtain medical goods and services. Stolen patient data, often the target in health

39 https://www.ssa.gov/pubs/EN-05-10064.pdf. 40 http://www.npr.org/sections/alltechconsidered/2015/06/15/414618292/theft-of-social-security-numbers-is-broader-than-you-might-think.

17

care breaches, is “worth 10 times more than your credit card number on the black

market.” See Caroline Humer & Jim Finkle, Your Medical Record Is Worth More

to Hackers Than Your Credit Card, Reuters (Sept. 24, 2014).41 This data includes

names, dates of birth, insurance policy numbers, and billing information, and is

used to file false insurance claims and purchase medical supplies and drugs for

resale. Id. This type of identity theft is often undetected for years, making “medical

data more valuable than credit cards, which tend to be quickly canceled by banks

once fraud is detected.” Id.

Medical identity theft is particularly costly for consumers. According to a

recent study, 65% of medical identity theft victims had to spend on average

$13,500 and 200 hours to resolve the incident. See Ponemon Inst., Fifth Annual

Study on Medical Identity Theft 1, 2 (Feb. 2015).42 An estimated 2.32 million

Americans have been victims of medical identity theft, with nearly 500,000 new

cases in 2014 alone. Id. at 8.

The non-economic risks of medical identity theft are also alarming. If the

fraudster’s medical information is incorporated into the victim’s records, that

person could receive incorrect diagnoses and treatments. See Laura Shin, Why

Medical Identity Theft Is Rising and How to Protect Yourself, Forbes (May 29,

41 http://www.reuters.com/article/us-cybersecurity-hospitals-iudUSKCN0HJ21I20140924. 42 http://medidfraud.org/wp-content/uploads/2015/02/2014_Medical_ID_Theft_Study1.pdf.

18

2015)43 (noting the risk that a victim “could receive medication to which she is

allergic, or her record may contain the incorrect blood type”).

b. Tax Return, Government Benefits, and Employment Identity Theft Fraud

Stolen SSNs and other personal information are also used to file false tax

returns; receive unemployment, food stamps, and Social Security benefits; apply

for student loans; and obtain drivers’ licenses and passports. See FTC, Guide for

Assisting Identity Theft Victims 43–45 (Sept. 2013) [hereinafter FTC, ID Theft

Guide].44 Tax refund identity theft occurs when a criminal uses “an individual’s

SSN, date of birth, or other PII” to “file a fraudulent tax return seeking a refund.”

U.S. Gov’t Accountability Office, GAO-16-589T, IRS Needs to Further Improve

Controls Over Taxpayer Data and Continue to Combat Identity Theft Refund

Fraud 1–2 (2016).45 The Internal Revenue Service (“IRS”) estimates that it paid

out $3.1 billion in fraudulent tax refunds for the 2014 filing season. Id.

Employment identity theft occurs when a victim’s name and SSN is used to

obtain employment. Criminals may user another person’s identifying information

when applying for jobs if they have a criminal record that may prevent hiring, or if

they are not legally authorized to work in the United States. See FTC, ID Theft

Guide, supra.

43 http://www.forbes.com/sites/laurashin/2015/05/29/why-medical-identity-theft-is-rising-and-how-to-protect-yourself/#4dead9fde200. 44 https://www.consumer.ftc.gov/articles/pdf-0119-guide-assisting-id-theft-victims.pdf. 45 http://www.gao.gov/assets/680/676493.pdf.

19

c. Criminal Identity Theft

Criminal identity theft occurs when a victim’s identifying information is

given to law enforcement during the investigation of a crime or upon arrest. See

FTC, ID Theft Guide, supra. Victims may be unaware of this fraudulent activity

until “the victim is unexpectedly detained, arrested, denied employment, or

terminated from employment.” Id. This type of fraud can occur in crimes from

traffic violations to felonies. See Aaron Sankin, How to Change Your Social

Security Number If You Get Hacked, Daily Dot (June 17, 2015).46

3. Credit monitoring cannot effectively protect data breach victims from non-financial identity theft.

Credit monitoring provides only weak, short-term assistance to individuals

at risk of identity theft, and does not prevent thieves from accessing credit files or

opening new accounts. Credit monitoring services only notify victims after

fraudulent activity occurs. See Brian Krebs, OPM (Mis)Spends $133M on Credit

Monitoring, Krebs on Security (Sept. 15, 2015).47 Moreover, companies typically

offer credit monitoring for only a year or two after a data breach, but the risk of

identity theft can last a lifetime. See Identity Theft Res. Ctr., The Limits of ID-Theft

Protection and Credit Monitoring (Aug. 10, 2015)48 (“Regardless of how long you

may be provided free identity-theft protection as a result of a data breach event,

your information can still be misused for eternity.”). Certain services do not even

46 http://www.dailydot.com/politics/change-social-security-number-ssn/. 47 http://krebsonsecurity.com/2015/09/opm-misspends-133m-on-credit-monitoring/. 48 http://www.idtheftcenter.org/Identity-Theft/the-limits-of-id-theft-protection-and-credit-monitoring.html.

20

monitor credit reports at all three major national credit bureaus, creating the

potential that consumers may still be left unaware of fraudulent account activity

under their names.

Credit freezes, which are sometimes offered after data breaches, can provide

some protection against financial fraud, but they can also have severe side effects.

Neither a credit freeze nor credit monitoring can be effective at stopping identity

theft that does not involve pulling a credit report. See FTC, ID Theft Guide, supra.

Credit reports are not involved in cases of medical, tax, and criminal identity theft.

Additionally, credit freezes must be lifted whenever an individual needs to run a

credit check. “That can create hassles, delays, and other problems if you need to

apply for a loan, credit card, or a job; obtain insurance; rent an apartment; set up

electric or phone service; and more.” Anthony Giorgianni, Should You Freeze Your

Credit File?, Consumer Reports (Feb. 22, 2014).49 Many employers will not hire

applicants without a credit check. Creating and lifting credit freezes can cost

between two to fifteen dollars per bureau. Id.

D. Companies need to take adequate precautions in order to avoid data breaches.

The threat of data breach and identity theft may be pervasive, but it is not

unavoidable. Many of the most serious breaches that have occurred since Reilly

could have been avoided by implementing well known data security procedures or

minimizing the collection and storage of personal information. Prior investigations

49 http://www.consumerreports.org/cro/news/2014/02/should-you-put-a-security-freeze-on-the-credit-file/index.htm.

21

have shown that upwards of 75% of data breaches are possible without any

specialized hacking knowledge or skills. Verizon, 2013 Data Breach Investigations

Report 48–49 (2013).50 In many cases, attackers gain access because of well-

known vulnerabilities or carelessness by the company that collected the data.

Many of the most severe breaches were predicted long before they occurred.

The OPM Inspector General had “reported critical weaknesses in OPM’s ability to

manage its IT environment,” and “warned that the agency” for years that it “was at

an increased risk of a data breach.” Office of Pers. Mgmt., Office of the Inspector

Gen., 4A-CI-00-15-011, Final Audit Report: Federal Information Security

Modernization Act Audit FY 2015, at 5 (Nov. 10, 2015).51

Many breaches are also made worse by lax security within a company’s

internal network. An expert report conducted after a 2013 breach revealed that

“[o]nce inside Target’s network, there was nothing to stop attackers from gaining

direct and complete access to every single cash register in every Target store.”

Brian Krebs, Inside Target Corp., Days After 2013 Breach, Krebs on Security

(Sept. 21, 2015).52 Target also failed to respond to security alerts flagging the

attack in process. Riley et al., supra.

Security experts and courts can agree on baseline principles of reasonable

data security. See FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 256 (3d Cir.

50 http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf. 51 https://www.opm.gov/our-inspector-general/reports/2015/federal-information-security-modernization-act-audit-fy-2015-final-audit-report-4a-ci-00-15-011.pdf. 52 http://krebsonsecurity.com/2015/09/inside-target-corp-days-after-2013-breach/.

22

2015) (finding that the FTC could bring a claim for inadequate data security based

on a company’s failure to implement several widely accepted data security

practices); Cybsersecurity and Data Protection in the Financial Sector: Hearing

Before the Subcomm. on Fin. Inst. & Consumer Credit of the H. Comm. on Fin.

Servs., 112th Cong. 12 (Sept. 14, 2011) (testimony of Marc Rotenberg, Executive

Director, EPIC)53 (noting that companies “need to know that they will be expected

to protect the data they collect and that, when they fail to do so, there will be

consequences”).

An expert panel chaired by Willis Ware explained in 1970 that a

“combination of hardware, software, communication, physical personnel, and

administrative-procedural safeguards is required for comprehensive security.” Def.

Sci. Bd. Task Force on Comput. Sec., Security Controls for Computer Systems, at

vi (1970).54 Companies that collect and store consumer information must develop a

proactive and comprehensive security plan, tailored to the organization’s business

objectives and information systems. IBM, Winning the Battle of the Breach

(2015).55 The plan should address data minimization, IT systems, and

organizational procedures. See generally Kroll, Data Breach Prevention Tips

(2015);56 Symantec, 6 Steps to Prevent a Data Breach (Nov. 2009).57

53 http://financialservices.house.gov/uploadedfiles/091411rotenberg.pdf. 54 https://assets.documentcloud.org/documents/2800105/Document-01-Defense-Science-Board-Task-Force-on.pdf. 55 https://www-03.ibm.com/security/data-breach/prevention.html. 56 http://www.kroll.com/en-us/cyber-security/data-breach-prevention/cyber-risk-assessments/data-breach-prevention-tips.

23

First, companies should embrace data minimization; criminals can’t steal

what a company doesn’t have. White House, Consumer Data Privacy in a

Networked World: A Framework for Protecting Privacy and Promoting Innovation

in the Global Economy 21 (Feb. 23, 2012)58 (stating that companies “should collect

only as much personal data as they need to accomplish purposes” and “should

securely dispose of or de-identify personal data once they no longer need it, unless

they are under a legal obligation to do otherwise”); Kroll, supra. Companies

should only collect information as needed and purge it once the need is gone,

should limit the number of places where data is stored, and should grant employees

access to data only on an “as-needed” basis. Consumer Data Protection in a

Networked World, supra; Kroll, supra; see also Ernie Hayden, Data Breach

Protection Requires New Barriers, SearchSecurity (May 2013)59 (discussing

“islanding” sensitive data to minimize breaches).

Second, if companies do choose to collect and store consumer data, they

must implement adequate technical protections. Industry standards now provide a

comprehensive framework to guide companies that handle sensitive consumer

data. Brief for EPIC and Thirty-Three Technical Experts and Legal Scholars as

Amicus Curiae Supporting Respondents, FTC v. Wyndham Worldwide Corp., 799

57 http://eval.symantec.com/mktginfo/enterprise/other_resources/b-6-steps-prevent-data-reach_20049431-1.en-us.pdf. 58 http://www.whitehouse.gov/sites/default/files/privacy-final.pdf. 59 http://searchsecurity.techtarget.com/feature/Data-breach-protection-requires-new-barriers.

24

F.3d 236 (3d Cir. 2015) (No. 14-3514)60 (outlining three well-established

cybersecurity standards that detail how database operators must identify vulnerable

hardware, protect sensitive data, and respond to attacks). Last year, this Court

found that Wyndham had fair notice of its inadequate cybersecurity practices when

it stored payment card information in clear readable text, allowed easily guessed

passwords, failed to use readily available security measures (such as firewalls, IP

address restrictions, and encryption), failed to adequately restrict the access of

third-party vendors to its networks, failed to employ reasonable measures to detect

and prevent unauthorized access, and failed to follow proper incident response

procedures. Wyndham, 788 F.3d at 240–41, 256.

Finally, companies must strengthen organizational procedures that build and

reinforce a culture of security. Kroll, supra. Companies must educate employees

“about appropriate handling and protection of sensitive data.” Id.; see also IBM,

supra. To prevent inadvertent (or intentional) breaches, they must also develop

protocols for remote access, on- and off-site data storage, and employee exit. Kroll,

supra. Companies should ensure that venders and partners maintain the same data

security standards to prevent indirect attacks. Id.

Data breaches are one of the largest threats facing American consumers

today. Reasonable data security measures can help to minimize the risk of attack

and reduce the consequential harm if a breach occurs. Courts should ensure that the

law encourages improved data security standards. Creating barriers to those who

60 https://epic.org/amicus/ftc/wyndham/Wyndham-Amicus-EPIC.pdf.

25

seek to strengthen data protection will magnify the risks American consumers

already face.

II. Companies that collect and store sensitive consumer data are in the best position to prevent data breaches, and should be held liable when they fail to adopt reasonable data security measures.

The lower court fundamentally misunderstood the role of liability in

preventing accidents when it lamented that data breach suits would be “unduly

burdensome” to business. Mem. Op. 19. Liability for data breaches is necessarily

assigned to companies in order to internalize the harms that follow from the

company’s decisions to (a) collect and use personal information but (b) not adopt

reasonable data security measures. Without the appropriate allocation of liability,

there is little reason for a company to invest in prevention and mitigation. Even

worse, misallocation of liability allows companies to profit from consumers’

personal information but leave them to bear the immediate harms and downstream

consequences of the company’s failure to implement data security.

The doctrine of reasonable care is based on the theory that the party who is

in the best position to avoid harm—i.e., the “least-cost avoider”—should bear the

costs of an accident. See Guido Calabresi, The Costs of Accidents: A Legal And

Economic Analysis 135 (1970) (“A pure market approach to primary accident cost

avoidance would require allocation of accident costs to those acts or activities (or

combinations of them) which could avoid the accident costs most cheaply.”); see

also Richard Coase, The Problem of Social Cost, 3 J. Law & Econ. 1 (1960)

(articulating a theory of cost allocation to promote efficient allocations of property

resources). Liability rules that hold a least-cost avoider responsible for

26

unreasonable conduct thus create the socially efficient outcome of least

consequential harm at least preventative cost.

Correctly identifying the least-cost avoider becomes particularly important

where transaction costs are high, as in the case of one party injuring a large and

diffuse group of individuals. Calabresi, supra, at 135–38; see Harold Demsetz,

When Does the Rule of Liability Matter?, 1 J. Legal. Stud. 13, 27–28 (1972)

(arguing that when transaction costs are high, the legal system can “improve the

allocation of resources by placing liability on that party who in the usual situation

could be expected to avoid the costly interaction most cheaply”).

“Database operators”—such as companies that collect and store consumer

data—“constitute the cheapest cost avoiders vis-à-vis individuals whose

information sits in a private entity’s database.” Danielle Keats Citron, Reservoirs

of Danger: the Evolution of Public and Private Law at the Dawn of the

Information Age, 80 Southern Cal. L. Rev. 241, 284 (2007) (arguing that data

brokers should be strictly liable for unsecure databases and data breaches); cf. Brief

for EPIC as Amicus Curiae Supporting Appellants, at 3–4, Gordon v. Softech

Intern., Inc., 726 F.3d 42 (2d Cir. 2013) (No. 12-661) (arguing for similar liability

for resellers of driver’s records). A company maintaining databases of consumer

data “has exclusive knowledge about, and control over, its information system.”

Citron, supra, at 285. Critical for effective minimization of threats, these

companies “have distinct informational advantages about the vulnerabilities in

their computer networks.” Id.

27

Consumers do not have the ability to avoid these breaches because they

“have no information about, and have no practical means to find out, where their

personal data resides” or how it is protected. Id. at 285–86; see also Understanding

Consumer Attitudes About Privacy: Hearing Before the Subcomm. on Commerce,

Manufacturing, and Trade of the House Comm. on Energy and Commerce 102–03

(Oct. 13, 2011) (testimony of Prof. Alessandro Acquisti)61 (“Research has

suggested that US consumers are often ill-informed about the collection and usage

of their personal information, and the consequences of those usages. This puts

them in a position of asymmetric information, and sometimes disadvantage,

relative to the data holders that collect and use that information.”).

Even if consumers knew where to look, they “cannot detect and understand

the security offered” by database operators. Citron, supra, at 284–85. “Even

individuals knowledgeable about information security will find it difficult to assess

how well a database system is designed and implemented.” Id. at 285. And even if

consumers did know how to secure their data, “it is unclear what [they] could do if

informed about a database operator’s vulnerabilities.” Id.

Unlike the companies, consumers cannot effectively insure against the risk

of identity theft. Id. Experts have found that identity theft insurance “falls way

short” of what consumers need. Priya Anand, Is Identity-Theft Insurance a Waste

61 https://www.gpo.gov/fdsys/pkg/CHRG-112hhrg74605/pdf/CHRG-112hhrg74605.pdf.

28

of Money? MarketWatch (Mar. 31, 2014).62 Unlike car insurance, which covers car

damage and personal injuries, identity theft insurance doesn’t cover the injuries

consumers suffer after their identity is stolen. Nancy Mann Jackson, Identity Theft

Insurance: How Does It Work and Will It Save Your Good Name?, Bankrate (June

15, 2015).63 These policies reimburse for certain enumerated costs: phone bills,

notary and certified mailing costs, lost wages, or attorney fees. Id. But they do not

reduce the most substantial cost: “the time and hassle required to rectify the

situation.” Id.

The data breach problem also cannot be solved through simple market

economics. Citron, supra, at 286. Bringing together hundreds of millions of

consumers to bargain with every database operator would be prohibitively

expensive and logistically impossible. Id. “Large consumer blocks also encounter

difficulty expressing collectively their relative preferences.” Id. (internal quotation

marks and modifications omitted). These substantial transaction costs counsel

towards “imposing liability on the party best able to reduce costs” in order to result

“in the most efficient allocation of resources.” Id. at 286–87 (citing Demsetz,

supra).

Consequentially, the company collecting and storing consumer data “sits in

the best position to make decisions about the costs and benefits of its information-

gathering” and distribution. Id. at 285. As such, they must bear the cost for failing

62 http://www.marketwatch.com/story/is-identity-theft-insurance-a-waste-of-money-2014-03-31. 63 http://www.bankrate.com/finance/insurance/insurance-identity-theft-1.aspx.

29

to implement adequate data security. But correct allocation of responsibilities does

not by itself result in the efficient minimization of harm. If defendants liable for

legal injury do not actually implement adequate data security measures, then

consumers will continue to be injured and face devastating downstream harms.

Non-litigation methods are currently insufficient to incentivize companies to

implement reasonable data security protections. No federal agency has sufficient

authority to issue or enforce rules establishing minimum data security standards.

The only federal agency that has been active in enforcing data security standards

against commercial data collectors is the FTC, which can only do so under its

“unfair or deceptive” trade practices authority. See FTC v. Wyndham Worldwide

Corp., 799 F.3d 236, 247 (3d Cir. 2015) (holding that the FTC can regulate

cybersecurity as an unfair trade practice). The only recent proposal considered by

Congress, a federal data breach notification rule, would not address security

standards. See White House, Fact Sheet: Safeguarding American Consumers &

Families (Jan. 12, 2015).64

Litigation, therefore, is an important mechanism to ensure that personal data

is adequately protected. See Richard A. Posner, Economic Analysis of Law 491 (3d

ed. 1986) (stating that the legal system determines “what allocation of resources

would maximize efficiency” when “the costs of a market determination would

exceed those of a legal determination”). Damages also force defendants to

64 https://www.whitehouse.gov/the-press-office/2015/01/12/fact-sheet-safeguarding-american-consumers-families.

30

internalize the full measure of the harm and take sufficient care to prevent future

injury. See Friends of the Earth, Inc. v. Laidlaw Envtl. Serv. (TOC), Inc., 528 U.S.

693, 185 (2000) (finding that civil penalties have a deterrent effect and can

therefore prevent future injury).

What the lower court in this case has failed to recognize is that there are at

least four distinct categories of damages caused by data breaches: (1) the costs of

mitigating identity theft and financial fraud; (2) the increased risk of identity theft

and fraud; (3) unauthorized transactions and credit-based identity theft; and (4)

more pernicious forms of identity theft, see Part I.C, supra. The lower court

mistakenly assumed that credit-based fraud is the only category of damages,

concluding that the plaintiffs’ “credit information and bank accounts look the same

today as they did prior to” the data breach. Mem. Op. 14. By excluding recovery

for the other three categories of damages, the lower court allowed the defendant to

ignore the wide range of risks consumers face because of the company’s lax

security practices. Victims will be unable to seek redress for the most pernicious

costs of data breach, including damage to their reputation, employment prospects,

and credit.

Since the Reilly decision in 2011, the problem of data breaches has become

widespread in the United States. Few dispute the growing risks. To erect barriers to

those who now seek to improve data protection invites more identity theft and

financial fraud in the future.

31

CONCLUSION

EPIC respectfully requests that this Court reverse the lower court’s order

granting Appellee’s motion to dismiss.

Respectfully submitted,

/s/ Marc Rotenberg Marc Rotenberg

Counsel of Record Alan Butler Claire Gartland Aimee Thomson Electronic Privacy Information Center 1718 Connecticut Ave. N.W. Suite 200 Washington, D.C. 20009 (202) 483-1140

CERTIFICATE OF COMPLIANCE WITH FEDERAL RULES

This brief complies with the type-volume limitation of Fed. R. App. P. 29(d)

and Fed. R. App. P. 32(a)(7)(B) because it contains 6,853 words, excluding the

parts of the brief exempted by Fed. R. App. P. 32(a)(7)(B)(iii). This brief also

complies with the typeface requirements of Fed. R. App. P. 32(a)(5) and the type

style requirements of Fed. R. App. P. 32(a)(6) because this brief has been prepared

in a proportionally spaced typeface using Microsoft Office Word for Mac 2011 in

14 point Times New Roman.

Dated: April 18, 2016

/s/ Marc Rotenberg Marc Rotenberg

CERTIFICATE OF COMPLIANCE WITH LOCAL RULES

I certify that I have complied with LAR 31.1(c) because this file was

scanned by the most current version of Virus Total, https://www.virustotal.com,

and no virus was detected. I also certify that I am a member of the bar of this court,

and that the text of this electronically filed brief is identical to the text of the 10

paper copies mailed to the court.

Dated: April 18, 2016

/s/ Marc Rotenberg Marc Rotenberg

CERTIFICATE OF SERVICE

I hereby certify that on April 18, 2016, I electronically filed the foregoing

Brief of Amici Curiae Electronic Privacy Information Center Support of Appellant

with the Clerk of the United States Court of Appeals for the Third Circuit using the

CM/ECF system. All parties are to this case will be served via the CM/ECF

system. Dated: April 18, 2016

/s/ Marc Rotenberg Marc Rotenberg